httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject Re: mod_cgissi
Date Sun, 03 Nov 1996 23:04:05 GMT
On Sun, 3 Nov 1996, Nathan Neulinger wrote:
> At 2:14 PM -0800 11/3/96, Brian Behlendorf wrote:
> >So, our engineers here are screaming for a way to do SSI parsing on CGI
> >output.
> >They're not happy with the answer that Apache 2.0 will probably be able to do
> >that; and they're happy to have a special-cased module which does this apart
> >from mod_cgi and mod_include.  So, module-gurus out there: is there any reason
> >why this should be incredibly difficult to do?  Any pointers or tips?
> 
> Other than that the very idea makes me cringe...  Anyone is going to
> have to escape almost 100% of their output... With that, you couldn't even
> print out what the user typed in without checking it for characters that
> would need to be protected.
>
> I would hate to think that the apache group would ever distribute such a
> module.

Hmm, I'm not sure I follow you.  What I'd like to do is simply allow something
like (as a base case example)

  #!/usr/local/bin/perl
  print "Content-type: text/html\r\n\r\n";
  print <<EOM;
    <!--#include virtual="/header.html" -->
  EOM

What needs to be escaped or protected?

> Technically, I don't see any reason why it would be any more difficult than
> doing it for regular files, but it would open such an unbelievably gaping
> security hole.
> 
> Think about it, even standard things like the error page that says "please
> contact the administrator of the referring url." What happens if the URL
> they requested has an SSI embedded in it... Or any similar type of thing.
> Outputting data from a CGI script should not be a security risk. Before,
> all you would have to do is trust what you do with input as far as
> executing commands. Even the basic test cgi that echoes the input would be
> a security hole.

Not sure what you mean by security hole, either.  If you let users write SSI
pages, why not let the output of their CGI scripts be parsed by SSI as well?
What can you "do" with CGI output to be parsed by SSI that you can't do with
a regular SSI document?

> I'm not a voting member, but if I were I'd give even considering this one a
> big negative vote.

I'm not proposing this to the group, I was just asking for guru-help.

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS
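The two positions in the thread side by side, as an added Python model that is not code from either poster: Brian's base case (the script author's own include directive, which should stay literal) next to Nathan's concern (the "test cgi that echoes the input", whose reflected user data must be escaped before an SSI parser sees it), plus a small scanner for what a mod_include-style parser would pick up. The directive regex, the sample query and the page layouts are constructed here.

```python
import html
import re

# SSI directive syntax, roughly as mod_include recognises it: "<!--#" element args "-->".
# This regex is a constructed approximation for the demonstration, not Apache's parser.
SSI_DIRECTIVE = re.compile(r"<!--#\s*(\w+)(.*?)-->", re.DOTALL)


def find_ssi_directives(body):
    """Return the element names of every SSI directive a parser would act on."""
    return [m.group(1) for m in SSI_DIRECTIVE.finditer(body)]


def echo_cgi_unsafe(user_query):
    """Nathan's case: a CGI that echoes client input verbatim.
    If this output is SSI-parsed, any directive in the input is executed."""
    return "<html><body>You sent: " + user_query + "</body></html>"


def echo_cgi_safe(user_query):
    """Same echo, but the user value is HTML-escaped first: '<' becomes '&lt;',
    so a reflected '<!--#' can no longer start a directive."""
    return "<html><body>You sent: " + html.escape(user_query, quote=True) + "</body></html>"


def page_with_header(user_query):
    """Brian's case combined with the fix: the include the script author wrote is
    intentional and stays literal; only the user-controlled value is escaped."""
    return (
        '<!--#include virtual="/header.html" -->\n'
        "<p>You sent: " + html.escape(user_query, quote=True) + "</p>"
    )


# Constructed sample input: a request parameter that carries an SSI directive.
CONSTRUCTED_QUERY = '<!--#include virtual="/header.html" -->'


if __name__ == "__main__":
    for name, fn in [("unsafe echo", echo_cgi_unsafe),
                     ("escaped echo", echo_cgi_safe),
                     ("author include + escaped echo", page_with_header)]:
        print(f"{name}: directives seen = {find_ssi_directives(fn(CONSTRUCTED_QUERY))}")
```

The unsafe echo exposes the reflected directive to the parser; the escaped variants leave only the directive the script author deliberately emitted.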

